Fiat-Shamir and correlation intractability from strong KDM secure encryption

Ran Canetti, Yilei Chen, Leonid Reyzin, Ron Rothblum. Eurocrypt 2018, Tel Aviv.


  1. Fiat-Shamir and correlation intractability from strong KDM secure encryption. Ran Canetti, Yilei Chen, Leonid Reyzin, Ron Rothblum. Eurocrypt 2018, Tel Aviv.

  6. A typical 4-message greeting protocol in America: “How are you?” “Great! How are you?” “Great!” “Have a great day!”

  10. Israeli: “What’s up?” “Not bad.” Round reducing, fast and clean!

  17. Fiat, Shamir 86: 3 round interactive protocol => 1 round argument. Interactive: P sends a, V replies with b (public coins), P sends c. Non-interactive: P sends a, b=H(a), c. Pointcheval, Stern 96: secure in the random oracle model. Goldwasser, Kalai 03: insecure for arguments with any real hash functions. A very popular paradigm, hard to argue security with a concrete property. Kalai, Rothblum, Rothblum 17: iO + more => Fiat-Shamir for proofs.

  18. This talk: (1) Correlation intractability => Fiat-Shamir for proofs. (2) Show that for $T = \mathrm{Enc}_k(m)$, $H_T(x) = \mathrm{Dec}_x(T)$ is correlation intractable if (Enc, Dec) is exp. KDM secure. (3) More about correlation intractability.

  19. Part I: What is correlation intractability?

  20. Correlation Intractability: “infeasibility of finding ‘sparse’ input-output relations” (Canetti, Goldreich, Halevi 1998)

  25. Sparse Relations: “For every input (x), the fraction of outputs (y) in the relation is negligible”. Correlation intractability [Canetti, Goldreich, Halevi ‘98]: for all sparse relations R, the Challenger sends h to the Adversary; the Adversary outputs x (as a result, y=h(x)). Adversary wins if R(x, y)=1.

  26. Correlation intractability => Fiat-Shamir for proofs [Hada, Tanaka 99; Dwork et al. 99]

  28. An interactive proof system. Interactive: A sends a, B replies with b (public coins), A sends c. Non-interactive: A sends a, b=H(a), c. Fiat, Shamir 86: 3 round proof system => 1 round argument. Fiat, Shamir relation (the instance x is part of a or c): R(a, b)=1 if ∃ c s.t. x ∉ L and Verifier(x, a, b, c) accepts.

  29. Fiat, Shamir 86: 3 round proof system => 1 round argument. [Bitansky et al. ‘13]: for proof systems, impossible from black-box reductions to falsifiable assumptions.

  31. More quick facts of correlation intractability. Impossible when key/seed is short [Canetti, Goldreich, Halevi 98]. Our goal: capture as many sparse relations as possible, including the relations that cover Fiat-Shamir for proofs.

  32. Part 2: How to construct correlation intractable functions?

  33. Existing constructions:

  44. Construction

  47. $g^{ax+b}$

  48. [xA+b]

  49. Analysis

  61. Part 3: More … Correlation intractability & Bitcoin

  63. H(???...?)=000000….XYZ3d83h. Quantitative correlation intractability: For all relations of density d, all adversaries running in time T succeed with probability f(d, T).

  64. Future directions: Quantitative correlation intractability. Multiple-input-output relations.

  65. Thanks for your time!
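
Slides 26 to 28 reduce Fiat-Shamir soundness for proofs to the sparsity of the relation R(a, b). The following added example (not from the talk) checks that sparsity by brute force for a toy Chaum-Pedersen proof of equal discrete logs. The protocol choice, the group parameters (P=23, Q=11, G=2), the function names, and SHA-256 as the stand-in for H are assumptions made for illustration.

```python
import hashlib
from itertools import product

# Constructed toy parameters: G generates the order-Q subgroup of Z_P^*.
P, Q, G = 23, 11, 2
H2 = pow(G, 3, P)  # second base h; the language L is {(G^w, H2^w)}

def verifier(x, a, b, c):
    """Chaum-Pedersen check: G^c == a1*u^b and H2^c == a2*v^b (mod P)."""
    (u, v), (a1, a2) = x, a
    return (pow(G, c, P) == a1 * pow(u, b, P) % P
            and pow(H2, c, P) == a2 * pow(v, b, P) % P)

def H(a):
    """b = H(a) as on the slides; SHA-256 reduced mod Q is a stand-in."""
    digest = hashlib.sha256(f"{a[0]},{a[1]}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def fs_prove(w, r):
    """One-round proof (a, b=H(a), c) for x = (G^w, H2^w); r is the nonce."""
    a = (pow(G, r, P), pow(H2, r, P))
    b = H(a)
    return a, b, (r + b * w) % Q

def fs_verify(x, proof):
    a, b, c = proof
    return b == H(a) and verifier(x, a, b, c)

def bad_challenges(x, a):
    """All b with R(a, b) = 1: some c makes Verifier(x, a, b, c) accept."""
    return [b for b in range(Q)
            if any(verifier(x, a, b, c) for c in range(Q))]

def max_bad_per_first_message(x):
    """Largest number of bad challenges over first messages in the subgroup."""
    subgroup = [pow(G, i, P) for i in range(Q)]
    return max(len(bad_challenges(x, a))
               for a in product(subgroup, repeat=2))

x_true = (pow(G, 5, P), pow(H2, 5, P))   # in L, witness w = 5
x_false = (pow(G, 5, P), pow(H2, 6, P))  # not in L: exponents differ

if __name__ == "__main__":
    print("honest proof verifies:", fs_verify(x_true, fs_prove(5, r=7)))
    print("bad challenges per a for x_false:",
          max_bad_per_first_message(x_false), "of", Q)
```

For the false instance every first message has at most one bad challenge out of Q, so R has density 1/Q. A correlation intractable H makes finding an a with H(a) equal to that challenge infeasible at cryptographic group sizes.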
